OpenStack global vs. project roles: What do they mean?

Could someone please shed some light on the role concept of OpenStack? I'm confused by contradicting statements in the admin guide, strange behaviour of my Icehouse installation, and various forum responses regarding this topic.

The admin guide states that role assignments are always done in project/tenant scope. I would conclude that the individual assignment should also only take effect in that scope. The admin guide does not mention any concept of global roles.

However, the keystone API description does:

GET v2.0/users/{userId}/roles?serviceId=string    List global roles for a user.

To make things worse, here is what I observe with my Keystone setup, using Horizon's identity panel. Let "michael" be my user name, with the following project and role assignments, done by the admin user (who in turn is admin in tenant admin):

demo1: _member_, admin

demo2: _member_

demo3:

Now, logging in as user michael, I'm getting demo1 and demo2 in the context selection box at the top. That's fine, as I'm only a member of these. Selecting demo2, I'm not getting any Identity panel, which also looks plausible, as I'm not admin in that project.

However, if I select demo1, I'm getting the Identity panel, and that is presenting me all projects including demo3! Plus, it allows me to assign myself to demo3, and to grant myself any role I like in demo3 and demo2!!

That's disturbing. It looks like I acquired global admin power across all projects by just being assigned to admin role in one of them? Is that intended behavior, or is it a bug?

Being there, what is the purpose of the "admin" tenant? Is being a member or an admin of this tenant supposed to introduce any more power than being admin of a mortal project? And if so, what extra power, and how is that accomplished?

1 answer

Since you are using the V2.0 API, the answer is w.r.t. V2.0. Role definition is global and role assignment is project specific.

That's disturbing. It looks like I acquired global admin power across all projects by just being assigned to admin role in one of them? Is that intended behavior, or is it a bug?

That is how v2 works. "admin" is global admin (similar to the root user). What you are looking for is something like "project_admin", which is an admin only for a project, and this concept is not possible with the Keystone v2 API. With the Keystone v3 API it is possible, but you need to change all the services' authorization policy files to add this role.

In V2, either you can do everything across all the services via "admin" role assignments, or you can't do anything useful.

Update 1:

Yes. No special meaning. All the services require a service tenant to talk to Keystone. They need an admin or service role on that tenant. All the services for some reason forgot about the "service" role and keep on using the "admin" role.
So if you create a tenant, say "MyTenant", and assign to it either the "admin" or "service" role and change the service configuration file (nova.conf/swift.conf etc.) to use this tenant, everything will work. That is for service-to-Keystone interaction. Most of the operations on a service require a user with the "admin" role on any tenant. As long as you have any user who has the "admin" role in any tenant, you can do any operation on a service.

Comments

Thanks a lot for the clarification. Does this imply that there is no special meaning of the tenant named "admin" (created in the course of working through the installation guide)? Or is there anything being owned by this tenant, or why should I add a user to this tenant to grant admin rights?
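The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Keystone or Horizon code: a check on the role name alone lets a token scoped to demo1 act on demo3, while a rule that also compares the project does not. The evaluator models only a small subset of the policy rule syntax; `PROJECT_SCOPED`, the helper names and the sample policy in the test are assumptions made for illustration.

```python
# Added illustration; not Keystone or Horizon code.
import re

# michael's role assignments as listed in the question (demo3: none)
ASSIGNMENTS = {"demo1": ["_member_", "admin"], "demo2": ["_member_"], "demo3": []}

ROLE_ONLY = "role:admin"  # passes on the role name alone
# Hypothetical project-scoped rule: role plus a match on the target's project
PROJECT_SCOPED = "role:admin and project_id:%(project_id)s"


def scoped_token(user, project):
    """Credentials of a token scoped to one project: only that project's roles."""
    return {"user_id": user, "project_id": project,
            "roles": ASSIGNMENTS.get(project, [])}


def check(rule, creds, target):
    """Evaluate a subset of the policy rule syntax: 'role:<name>' and
    '<cred_key>:%(<target_key>)s' checks joined by 'and' / 'or', no parentheses."""
    def atom(text):
        kind, _, match = text.strip().partition(":")
        if kind == "role":
            return match.lower() in [r.lower() for r in creds["roles"]]
        ref = re.fullmatch(r"%\((\w+)\)s", match)
        wanted = target.get(ref.group(1)) if ref else match
        return wanted is not None and creds.get(kind) == wanted
    # 'and' binds tighter than 'or'
    return any(all(atom(a) for a in branch.split(" and "))
               for branch in rule.split(" or "))


def can_manage(rule, token_project, target_project):
    """May michael, with a token scoped to token_project, act on target_project?"""
    return check(rule, scoped_token("michael", token_project),
                 {"project_id": target_project})


def unscoped_admin_rules(policy):
    """Audit helper: names of rules with an 'or' branch that accepts role:admin
    without also constraining the project."""
    return sorted(name for name, rule in policy.items()
                  if any("role:admin" in b and "project_id:" not in b
                         for b in rule.split(" or ")))


if __name__ == "__main__":
    for rule in (ROLE_ONLY, PROJECT_SCOPED):
        print(rule, {p: can_manage(rule, "demo1", p) for p in ASSIGNMENTS})
```

Running `unscoped_admin_rules` over a service's loaded policy dictionary lists the rules that would need a project constraint before a per-project admin role could be introduced.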